You are here

Justice News

Department of Justice

U.S. Attorney’s Office

Northern District of California

FOR IMMEDIATE RELEASE

Friday, December 6, 2013

Thirteen Defendants Plead Guilty For December 2010 Cyber-Attack Against PayPal

SAN JOSE – Thirteen defendants pleaded guilty in federal court in San Jose yesterday to charges related to their involvement in the cyber-attack of PayPal’s website as part of the group “Anonymous,” United States Attorney Melinda Haag announced. One of the defendants also pleaded guilty to the charges arising from a separate cyber-attack on the website of Santa Cruz County.

In pleading guilty, the defendants admitted to carrying out a Distributed Denial of Service (DDoS) cyber-attack against PayPal in December 2010.

These DDoS attacks were facilitated by software tools designed to damage a computer network’s ability to function by flooding it with useless commands and information, thus, denying service to legitimate users. A group calling itself “Anonymous” claimed responsibility for the attacks, saying they conducted the attacks in protest of the companies’ and organizations’ actions. The attacks were facilitated by the software tools “Anonymous” made available for free download on the Internet. The victims included major U.S. companies across several industries.

According to the plea agreements and statements made in court, in late November 2010, WikiLeaks released a large amount of classified United States State Department cables on its website. Citing violations of the PayPal terms of service, and in response to WikiLeaks’ release of the classified cables, PayPal suspended WikiLeaks’ accounts such that WikiLeaks could no longer receive donations via PayPal. WikiLeaks’ website declared that PayPal’s action “tried to economically strangle WikiLeaks.”

The plea agreements further state that, in retribution for PayPal’s termination of WikiLeaks’ donation account, Anonymous coordinated and executed DDoS attacks against PayPal’s computer. Anonymous referred to these co-ordinated attacks on PayPal as “Operation Avenge Assange.”

With the exception of Valenzuela, Phillips and Miles, each of the defendants pleaded guilty to one count of Conspiracy, in violation of 18 USC 1030(b)(Felony), and one count of Intentional Damage to a Protected Computer, in violation of 18 USC 1030(a)(5)(A)(Misd.). Defendant Valenzuela pleaded guilty to one count of Reckless Damage to a Protected Computer, in violation of 18 USC 1030(a)(5)(A)(Misd.). Defendants Phillips and Miles were permitted to plead guilty to one count each of Intentional Damage to a Protected Computer, in violation of 18 USC 1030(a)(5)(A)(Misd.) only.

The terms of the plea agreements allow that unless a defendant violates any of the terms of the plea agreement or fails to accept responsibility, at the time of sentencing, the defendant may make an unopposed motion to withdraw his/her guilty plea to Count One, Conspiracy to Commit Intentional Damage to a Protected Computer in violation of 18 U.S.C. 1030(b) and the government will dismiss Count One, leaving only the misdemeanor count of violating of 18 U.S.C. 1030(a)(5)(A) to be entered as a final judgment against the defendant.

Defendant Joshua John Covelli also pleaded guilty to executing a DDoS attack (with another defendant, presently a fugitive) against the Santa Cruz County web server, admitting that it was in retaliation for a statute enacted by the City of Santa Cruz. The City of Santa Cruz enacted Section 6.36.010 of its Municipal Code, entitled “Camping Prohibited,” which contained restrictions and definitions on camping within Santa Cruz City. In response to the enforcement of Section 6.36.010, protesters occupied the Santa Cruz County Courthouse premises from approximately July 4, 2011 to October 2, 2011. Law enforcement officers from Santa Cruz County disbanded the protest and several protesters were charged with misdemeanors crimes in Santa Cruz County.

According to Covelli’s plea agreement and statements in court, in retribution for Santa Cruz City’s enforcement of Section 6.36.010 of the Municipal Code, and Santa Cruz County’s disbandment of the protest, Covelli and others, calling themselves the “People’s Liberation Front’” or “PLF,” and claiming to be associated with the “Anonymous” group, co-ordinated and executed an attack against Santa Cruz County’s computer servers. The PLF referred to these coordinated attacks on Santa Cruz County as “Operation Peace Camp 2010.”

The defendants are currently released on bond.

The sentencing hearings for twelve of the defendants are scheduled for December 4, 2014 at 10:00 a.m. before the Honorable D. Lowell Jensen, United States District Court Judge, in San Jose. Tracy Valenzuela’s sentencing hearing is scheduled for November 20, 2014 at 10:00 a.m. before Judge Jensen as well. The maximum statutory penalty for each count in violation of 18 United States Code, Section 1030(b) – Conspiracy (Felony), is 5 years imprisonment and a $250,000 fine; for each count in violation of 18 United States Code, Section 1030(a)(5)(A) – Intentional Damage to a Protected Computer (Felony), is 10 years imprisonment and a $250,000 fine; for each count in violation of 18 United States Code, Sections 1030(a)(5)(A) & (c)(4)(G)(i) – Intentional Damage to a Protected Computer (Misd.) is 1 year in prison and a $100,000 fine, and for each count in violation of 18 United States Code, Sections 1030(a)(5)(A) & (c)(4)(G)(i) – Reckless Damage to a Protected Computer (Misd.) is 1 year in prison and a $100,000 fine.

However, any sentence will be imposed by the court only after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

Matt Parrella and Hanley Chew are the Assistant U.S. Attorneys who prosecuted the case with the assistance of Elise Etter. The prosecution is the result of an investigation by the Federal Bureau of Investigation, along with cooperation from PayPal. Authorities in the Netherlands, Germany and France have also taken their own investigative and enforcement actions.

The National Cyber-Forensics and Training Alliance, a public-private partnership whose mission to identify, mitigate, and neutralize cyber-crime, also provided assistance.